D-Link NetDefendOS User Manual page 502

Network security firewall
the ALG. If the certificate is self-signed then the root and host certificate should both be set
to the same certificate. Certificate chaining is supported and more than one root certificate
can be configured.
3. Create a new custom Service object based on the TCP protocol.
4. Associate the TLS ALG object with the newly created service object.
5. Create a NAT or Allow IP rule for the targeted traffic and associate the custom service object
with it.
6. Optionally, a SAT rule can be created to change the destination port for the unencrypted
traffic. Alternatively, an SLB_SAT rule can be used to do load balancing (the destination port
can also be changed through a custom service object).
URLs Delivered by Servers
It should be noted that using NetDefendOS for TLS termination does not change URLs inside
web pages delivered by servers which lie behind the NetDefend Firewall.
What this means is that if a client connects to a web server behind the NetDefend Firewall using
the https:// protocol, any web pages delivered back that contain absolute URLs with the
http:// protocol (perhaps referring to other pages on the same site) will not have these URLs
converted to https:// by NetDefendOS. A browser following such a link leaves the https://
session and fetches the page in plaintext. The solution to this issue is for the servers to use relative
URLs instead of absolute ones.
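The check a practitioner would want before placing a server behind the terminating firewall is a scan of its pages for absolute http:// links that point back at the site itself, since those are exactly the URLs the firewall will not rewrite. The following is an added example, not code from the NetDefendOS manual or from D-Link; the HTML sample, the host name www.example.com and the function names are constructed for illustration. It collects URL-bearing attributes with the standard library HTML parser, reports the offending links, and shows the manual's recommended fix by rewriting them as relative URLs.

```python
"""Find absolute http:// links that would escape TLS termination.

Added example, not part of the NetDefendOS manual. The firewall terminates
TLS but leaves page bodies untouched, so an absolute http:// link to the
site's own host is followed by the browser in plaintext. This scanner finds
such links and rewrites them as relative URLs, which is the fix the manual
recommends.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes whose values the browser fetches or navigates to.
URL_ATTRS = {"href", "src", "action", "data", "poster", "formaction"}

# Constructed sample page for a site reached as https://www.example.com/
SAMPLE_HTML = """
<html><head><link rel="stylesheet" href="http://www.example.com/site.css"></head>
<body>
<a href="http://www.example.com/login?next=/account">Log in</a>
<a href="/help">Help</a>
<a href="https://www.example.com/secure">Already https</a>
<img src="http://cdn.other.net/logo.png">
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (tag, attribute, url) triples from every start tag."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append((tag, name, value))


def find_plaintext_links(html, site_host):
    """Return (tag, attr, url) for absolute http:// URLs that target site_host.

    Relative URLs, https:// URLs and links to other hosts are ignored: only
    plaintext links back to the terminated site defeat the TLS setup.
    """
    collector = LinkCollector()
    collector.feed(html)
    host = site_host.lower()
    return [
        (tag, attr, url)
        for tag, attr, url in collector.links
        if urlsplit(url).scheme.lower() == "http"
        and urlsplit(url).hostname == host
    ]


def to_relative(url, site_host):
    """Rewrite an absolute URL for site_host as a relative URL.

    URLs for other hosts are returned unchanged; a relative form only makes
    sense for the site's own resources.
    """
    parts = urlsplit(url)
    if parts.hostname != site_host.lower():
        return url
    return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    for tag, attr, url in find_plaintext_links(SAMPLE_HTML, "www.example.com"):
        print(f"<{tag} {attr}> {url}  ->  {to_relative(url, 'www.example.com')}")
```

Run against a crawl of the real site rather than the constructed sample; links emitted by server-side templates or redirects (Location headers) need the same treatment and are not covered by a scan of static HTML.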
Cryptographic Suites Supported by NetDefendOS TLS
NetDefendOS supports a number of cryptographic algorithms for TLS. These can be enabled or
disabled globally using the advanced settings described in Section 13.9, "SSL/TLS Settings".
By default, only the four algorithms which are considered the most secure are enabled. Enabling
the weaker algorithms is not recommended; they exist primarily for backwards compatibility.
TLS Restrictions
The following restrictions exist when using the TLS ALG:
• Client authentication is not supported (that is, the NetDefend Firewall cannot authenticate the
identity of the client using a client certificate).
• Renegotiation is not supported.
• Server key exchange messages are not sent. Export cipher suites normally rely on this message
to supply a temporary export-grade key, so with the TLS ALG they can only be used if the key in
the server certificate is itself weak enough to qualify as export-grade. In practice, export ciphers
should be left disabled.
• The certificate chain used by NetDefendOS can contain at most 2 certificates.
Chapter 6: Security Mechanisms